The Environmental Protection Agency’s (EPA) Inspector General conducted an audit of the agency’s cybersecurity and information security policies but will not release the full report, noting privacy issues.
The agency has 30 systems that contain personally identifiable information (PII), according to the At a Glance summary of the inspector general report. The audit is not being made available to the public “due to the sensitive nature of the information identified,” the At a Glance summary stated.
The report summary said the environmental agency “does not own any systems that include national security information.” The IG report was required by the Cybersecurity Act of 2015. The report sampled two of the agency’s 30 systems that include sensitive PII.
The report also provided information about access controls and multifactor authentication used to protect the network, methods used to detect exfiltration, and procedures used to ensure third-party service providers are following the information security guidelines required by the cybersecurity legislation.